UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

Information Technology Audits and Computer Crime Investigations


DATE:     July 20, 2010

TO:       Danny Harris
          Chief Information Officer
          Office of the Chief Information Officer

          Richard Gordon
          Chief Information Officer
          Federal Student Aid

FROM:     Charles E. Coe, Jr.      /s/
          Assistant Inspector General

SUBJECT:  Investigative Program Advisory Report (IPAR)
          Bypassing of Web Content Filtering (Case #10-110249)
          Control No. L21K0001


Department Program: Information Assurance

The Information Assurance (IA) Program serves as a major component within the Department of
Education (Department) for protecting information that is collected, processed, transmitted, or
disseminated in any form. The mitigation of risks to prevent the unauthorized disclosure,
alteration, or destruction of Department information is vital to the successful execution of the
Department’s many business functions. The IA Security Policy establishes policies to ensure
compliance with Federal laws and regulations, thus ensuring adequate protection of
Information Technology (IT) resources.

In the Office of the Chief Information Officer’s (OCIO’s) Security Policy Handbook, OCIO-01,
section 4.1.3.3, Internet, and OCIO 1-104, Personal Use of Government Equipment and
Information Resources, Section D, Policy to Filter Inappropriate Internet Material, the
Department outlines policies related to the use of the Internet. The Department provides
employees with appropriate Internet access to facilitate research, learning, and the
accomplishment of the Department’s mission. In so doing, the Department exercises sound
judgment in identifying suitable and worthwhile material for general access. The policy also
addresses how an employee may legitimately access filtered sites through OCIO.

Deficiencies and/or Mismanagement

Recent investigations have revealed multiple users throughout the Department and specifically in
Federal Student Aid (FSA) and OCIO have circumvented web filtering by
                                                               Specifically, users use the
                                                                                     to bypass
Blue Coat web content filtering configurations. The              goes undetected under the
current Blue Coat configurations.

The most common usage has been to access web-based email and social networking sites.

However, a user can access virtually any blocked site utilizing this technique if the
              When interviewed, one employee indicated this practice was common throughout
FSA.

Recommendations

1. It is recommended that OCIO and FSA OCIO educate users that bypassing web filtering is a
violation of Department policy that can expose the user and the Department to risks.

2. It is recommended that OCIO and FSA OCIO assess whether it is practical to monitor
       through Blue Coat, and, if not, consider other monitoring or filtering methods.

Please advise this office within 90 days of any corrective action taken or planned because of the
recommendations contained in this IPAR.